SoftwareSecurity2012/Group 10/Code Scanning
We ran the tools on several Linux distributions, among which Ubuntu 11.10/12.04, Fedora 16 and Gentoo Linux. Our main FluxBB instance ran on a Gentoo server hosted on the UT campus, although most code scanning tools were used on our systems locally.
RIPS
Preface
We have evaluated RIPS v0.53 against FluxBB v1.4.8 with the Fancybox v1.2.1 modification installed. Provided you already have access to a PHP-enabled HTTP server, installing RIPS is trivial; extracting the ZIP archive is all it takes. RIPS features a simple web-based frontend that lets you specify a target directory, a verbosity level and the vulnerability types to scan for.
Results
RIPS was used to scan FluxBB with the Fancybox modification installed. The second verbosity level (user + file/DB tainted) appears to offer a manageable number of results. In roughly five minutes RIPS identified 352 potential issues, the majority of which (~75%) were classified as XSS. Of particular interest is a warning shown in the results summary: "Code is object-oriented. This is not supported yet and can lead to false negatives.".
The detailed results show the code path to any given issue (a backtrace), along with any relevant conditional statements. A quick look at the results shows that RIPS has indeed pointed out some actual issues (for example XSS and LFI), yet many results appear to be potential false positives and require further investigation.
Unfortunately the results seem hardly relevant for our specific verification requirements (V9 and V11), as RIPS covers neither the data protection criteria (V9) nor the high-level HTTP requirements (as outlined in V11). On the other hand, it is probably useful for our analysis of the Fancybox plugin.
Yasca
First impression
- Powerful plugin system looked promising.
- Generates an overview with the results of each plugin run.
Number of warnings
Utility of results
All plugin results ranged from errors (RATS) to obviously faulty output (PHPLint).
RATS
First impression
RATS is a straightforward static code scanner; it can scan C, C++, PHP, Perl and Python. The program can be obtained either as Linux source or as a win32 binary. The help function is clear enough to get the program running. The only thing the program does is look for functions that are listed in the database in use (an XML file). The program cannot distinguish whether a function is used correctly or not, so it always gives the user a warning. These warnings are categorized as low, medium and high.
Results
High:
- Use of fopen 11 times:
  - 7 times in include/cache.php
  - once in include/functions.php
  - once in install.php
  - once in extern.php
  - once in db_update.php
- Use of mail once in include/email.php.
Medium:
- Use of is_readable twice:
  - once in include/dblayer/sqlite.php
  - once in admin_index.php
- Use of is_dir once in include/functions.php
- Use of fsockopen once in include/email.php
Low:
- The use of dirname resulted in 33 warnings.
- The use of fopen resulted in 10 warnings.
- The use of is_dir resulted in 2 warnings.
- The use of file resulted in 1 warning.
- The use of unlink resulted in 6 warnings.
- The use of basename resulted in 7 warnings.
- The use of rename resulted in 1 warning.
- The use of chmod resulted in 1 warning.
Final remarks
Because RATS is limited to checking whether functions are used in the code, and cannot tell whether they are used correctly, that assessment still has to be done manually. This makes RATS a useful starting point when looking for exploitable code, but the tool does not give you more than that.
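To make the mechanism concrete, here is an added illustration (not RATS's own code) of how a RATS-style scanner produces the per-severity, per-file counts listed above: it matches function names from an XML database against PHP source and reports every use, so a fopen on a constant path and a fopen on a request parameter are counted identically. The database schema, file names and PHP snippets are constructed for the example.

```python
# Added illustration of the RATS mechanism described above; not RATS's own
# code. Every call to a function listed in an XML database is reported with
# the database's severity, whether or not the call is actually unsafe.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed database; element/attribute names are assumptions, not RATS's schema.
DATABASE_XML = """<database>
  <function name="fopen" severity="high"/>
  <function name="mail" severity="high"/>
  <function name="is_readable" severity="medium"/>
  <function name="dirname" severity="low"/>
</database>"""

# Constructed PHP sources standing in for a small project tree.
FILES = {
    "include/cache.php": "<?php\n$fh = fopen(PUN_ROOT.'cache/cache_config.php', 'wb');\n$d = dirname(__FILE__);\n",
    "install.php": "<?php\n$fh = fopen($_GET['path'], 'r'); // caller-controlled path\n",
    "include/email.php": "<?php\nmail($to, $subject, $message);\n",
}

def load_database(xml_text):
    """Map function name -> severity from the XML database."""
    root = ET.fromstring(xml_text)
    return {f.get("name"): f.get("severity") for f in root.findall("function")}

def scan(files, database):
    """Return {severity: {function: {filename: count}}}. Like RATS this only
    matches names: fopen on a constant path and fopen on $_GET['path'] are
    counted identically, so deciding which is a real problem stays manual."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, database)) + r")\s*\(")
    results = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for filename, source in files.items():
        for match in pattern.finditer(source):
            name = match.group(1)
            results[database[name]][name][filename] += 1
    return results

def report(results):
    """Render the summary in the same shape as the RATS results above."""
    lines = []
    for severity in ("high", "medium", "low"):
        if severity not in results:
            continue
        lines.append(f"{severity.capitalize()}:")
        for name, per_file in results[severity].items():
            lines.append(f"  Use of {name} {sum(per_file.values())} time(s)")
            for filename, count in per_file.items():
                lines.append(f"    {count} in {filename}")
    return "\n".join(lines)
```

Running `print(report(scan(FILES, load_database(DATABASE_XML))))` lists both fopen calls under High with no indication that only the install.php one takes its path from the request; that distinction is exactly the manual work the tool leaves to the reviewer.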
CodeSecure
First impression
It is obvious that CodeSecure is a professional tool. Installation is straightforward and the web application is very well made, user friendly and is delivered with excellent documentation. Unfortunately CodeSecure did not respond well to the academic license provided to us, and will not allow us to scan FluxBB.
PHPlint
First impression
PHPlint is a 'spartan' tool that requires compiling and Linux shell trickery to be useful for an entire project. Since the tool can only scan one PHP file at a time, its reporting needs to be automated with a shell command to get a complete overview. The presentation of PHPlint's reports is very much bare bones as well.
Number of warnings
PHPlint generates a vast number of warnings, more than can be considered useful. The output for the entire project measures over 32000 lines with over 10000 warnings. This is way too much to be useful. Furthermore, no distinction is made between types of warnings, making it very cumbersome to turn these warnings into actual code changes.
Utility of results
The vast number of results given by PHPlint, and its lack of configurability in which types of warnings to give, make it much too verbose. There may be good warnings to be found buried within the vast amounts of text, but most warnings we scanned over were clearly not a problem. Warnings were given on almost every string literal, and on anything that required type information that was not available to the scanner at that point. Furthermore, the tool proved to be unaware of being run within a project: it yielded warnings for every function call or other reference to other files.
Clearly, there are better tools up for the job.